Security Intelligence
Loading table of contents...
At a glance: A critical vulnerability in the open-source AI framework Langflow is being actively exploited, allowing unauthenticated remote code execution on exposed instances. The flaw affects versions up to 1.8.1 and enables attackers to execute arbitrary Python code via a public API endpoint, potentially leading to data exfiltration and persistent access. Exploitation began within hours of disclosure.
Threat summary
Security researchers are reporting on an active exploitation of a critical unauthenticated remote code execution vulnerability in Langflow, patched on March 17, 2026.
Langflow is an open‑source Python framework used to build AI agents and workflows, making it a common component in early-stage AI development environments and internal research platforms that often connect to sensitive data sources and cloud services.
The flaw, tracked as CVE-2026-33017, affects all Langflow versions up to and including 1.8.1 when deployed in configurations that expose a specific unauthenticated endpoint.
The vulnerability resides in the flow‑build endpoint (`POST /api/v1/build_public_tmp/{flow_id}/flow`), which allows public flows to be created without authentication. If this endpoint is reachable from the internet, an adversary can interact with it directly and execute arbitrary Python code on the underlying server.
The vulnerability carries a CVSS score of 9.3 and is classified as critical. Successful exploitation allows an adversary to access environment variables, modify files, exfiltrate data, and establish persistent access, depending on the server’s permissions and connected services. Maintainers of the project released version 1.9.0 which removes the vulnerable functionality.
Exploitation began on March 18, less than 20 hours after the vendor advisory was published. Researchers concluded that attackers likely developed working exploits directly from the advisory, as no public proof‑of‑concept code existed at the time.
Analysis
Organizations running Langflow 1.8.1 or earlier could be affected if the vulnerable endpoint is exposed externally. Instances used in research environments, proof-of-concept AI projects, or developer sandboxes face elevated risk because testing deployments often expose individual API routes to the internet without strict access controls.
The actual impact depends on how Langflow is deployed, what permissions it runs with, and what systems or data it connects to. The flaw affects the single endpoint, and exploitation also requires the adversary to know or discover a valid flow ID, which is easy in many deployments but not universal.
Updating to Langflow version 1.9.0 or later removes the vulnerable functionality entirely. For environments that cannot upgrade immediately, organizations should block access to POST /api/v1/build_public_tmp/{flow_id}/flow endpoint from the public internet.
For deployments that need to remain externally reachable, consider placing Langflow behind a VPN, zero‑trust gateway, or reverse proxy enforcing authentication before any API access. Because exploitation allows access to environment variables and other sensitive resources, organizations should rotate credentials, API keys, and service tokens that may have been exposed.
Finally, instances that had the vulnerable endpoint accessible should be reviewed for signs of compromise, including unexpected outbound connections, modified files, or persistence mechanisms.
Stay on top of emerging threats like this.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
